Static Analysis of The DeepSeek Android App - 36-2

I performed a fixed analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The goal was to determine potential security and privacy issues.

I have actually composed about DeepSeek previously here.

Additional security and personal privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek

The findings detailed in this report are based simply on static analysis. This implies that while the code exists within the app, there is no conclusive proof that all of it is carried out in practice. Nonetheless, it-viking.ch the existence of such code warrants scrutiny, particularly offered the growing issues around information personal privacy, security, the potential misuse of AI-driven applications, and higgledy-piggledy.xyz cyber-espionage characteristics in between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app yesterday as well.

Bespoke encryption and information obfuscation methods are present, with indicators that they might be utilized to exfiltrate user details.
The app contains hard-coded public keys, instead of relying on the user device's chain of trust.
UI interaction tracking catches detailed user behavior without clear permission. - WebView manipulation is present, which might enable the app to gain access to private external web browser data when links are opened. More details about WebView adjustments is here

Device Fingerprinting & Tracking

A significant portion of the evaluated code appears to focus on gathering device-specific details, which can be utilized for tracking and fingerprinting.

- The app gathers numerous special device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details.
System homes, installed plans, and root detection mechanisms suggest potential anti-tampering steps. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and security researchers use to root their Android devices.
Geolocation and network profiling are present, suggesting possible tracking abilities and allowing or disabling of fingerprinting routines by region. - Hardcoded gadget model lists recommend the application might behave in a different way depending on the detected hardware.
Multiple vendor-specific services are used to draw out additional gadget details. E.g. if it can not determine the device through basic Android SIM lookup (since permission was not granted), it tries manufacturer specific extensions to access the exact same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without vibrant analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which might facilitate unapproved screen capture or phishing attacks.
SIM card details, identification numbers, and other device-specific information are aggregated for unidentified functions.
The app implements country-based gain access to constraints and "risk-device" detection, recommending possible security mechanisms.
The app executes calls to load Dex modules, where additional code is packed from files with a.so extension at runtime.
The.so files themselves reverse and make additional calls to dlopen(), which can be utilized to load additional.so files. This center is not normally inspected by Google Play Protect and other fixed analysis services.
The.so files can be executed in native code, such as C++. The use of native code adds a layer of intricacy to the analysis procedure and obscures the full level of the app's capabilities. Moreover, native code can be leveraged to more quickly escalate opportunities, potentially exploiting vulnerabilities within the system or device hardware.

Remarks

While information collection prevails in contemporary applications for debugging and fakenews.win improving user experience, aggressive fingerprinting raises considerable privacy concerns. The DeepSeek app requires users to visit with a valid email, which must currently supply enough authentication. There is no valid factor for the app to strongly gather and transmit special device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The degree of tracking observed here surpasses normal analytics practices, possibly allowing relentless user tracking and re-identification across gadgets. These habits, integrated with obfuscation methods and network communication with third-party tracking services, require a higher level of scrutiny from security scientists and users alike.

The work of runtime code loading in addition to the bundling of native code suggests that the app could allow the implementation and forum.altaycoins.com execution of unreviewed, from another location delivered code. This is a serious potential attack vector. No proof in this report exists that remotely released code execution is being done, only that the facility for this appears present.

Additionally, the app's technique to discovering rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content defense are crucial, or in competitive computer game to avoid unfaithful. However, there is no clear reasoning for wiki.vst.hs-furtwangen.de such rigorous steps in an application of this nature, raising more questions about its intent.

Users and companies considering installing DeepSeek needs to know these possible dangers. If this application is being utilized within an enterprise or federal government environment, extra vetting and security controls must be implemented before allowing its release on managed devices.

Disclaimer: The analysis provided in this report is based on fixed code review and does not indicate that all detected functions are actively utilized. Further examination is required for conclusive conclusions.